Now Symantec researchers have discovered a worm-like version of the trojan that targets Windows. Like the Mac version, this strain was installed onto victims' machines if they visited a compromised website that pushed a malicious JAR file.

Crisis would then search the target system for a virtual machine component and could make a copy of itself so that it can "mount" the virtual image.

"A virtual machine on anybody's computer...is essentially one large file which can be loaded with, for example, VMware Player," Thakur said. "What Crisis is doing is it gets on the host computer and looks around and says, 'is there a VM file sitting around here somewhere?' If it finds it, it uses the same tools [such as VMware Player] to mount [the virtual machine]."

Normally, malware purposely avoids running in virtual environments because its authors fear it will be studied there. VMs are a common place for researchers to conduct malware analysis, but average users rarely run them, Thakur said.

"Most trojans bail when they detect a virtual machine," he said. "It's the other way around in this case. It has the capability and it wants to get on virtual machines."

The threat of Crisis is "extremely low," he said, and researchers have reportedly spotted only a couple dozen infections.

That may be due to the apparent link between Crisis and a commercial malware package sold by Italy-based Hacking Team.

According to its website, the company's Remote Control System is only sold to government and law enforcement agencies and is "designed to evade encryption by means of an agent directly installed on the device to monitor."

Researchers at Intego first got their hands on the malicious code when a victim uploaded it to scanning portal VirusTotal. It appears the trojan was targeting "a group of independent Moroccan journalists who received an award from Google for their efforts during the Arab Spring revolution," researchers said in a July 26 blog post.
